DOI: 10.1145/3339252.3339254
Research article (ARES conference proceedings)

Towards Efficient Reconstruction of Attacker Lateral Movement

Published: 26 August 2019

Abstract

Organization and government networks are a target of Advanced Persistent Threats (APTs), i.e., stealthy attackers that infiltrate networks slowly and usually stay undetected for long periods of time. After an attack has been discovered, security administrators have to manually determine which hosts were compromised to clean and restore them. For that, they have to analyze a large number of hosts.
In this paper, we propose an approach to efficiently reconstruct the lateral movement of attackers from a given set of indicators of compromise (IoCs) that can help security administrators to identify and prioritize potentially compromised hosts. To reconstruct attacker paths in a network, we link hosts with IoCs via two methods: k-shortest-paths and biased random walks. To evaluate the accuracy of these approaches in reconstructing attack paths, we introduce three models of attackers that differ in their network knowledge.
Our results indicate that we can approximate the lateral movement of the three proposed attacker models, even when the attacker significantly deviates from them. For insider attackers that deviate up to 75% from our models, the method based on k-shortest-paths achieves a true positive rate of 88% and can significantly narrow down the set of nodes to analyze to 5% of all network hosts.
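The abstract describes linking IoC-bearing hosts through k-shortest-paths so that administrators can prioritize which hosts to examine. The following added example is not code from the paper; it is a self-contained illustration of that idea on a constructed host-connectivity graph. It assumes unit edge weights (hop count), uses Yen's k-shortest loopless paths algorithm on top of breadth-first search, and scores each non-IoC host by how often it lies on the k shortest paths between every pair of IoC hosts. The scoring rule and the sample topology are assumptions chosen for the illustration, not the paper's exact method.

```python
from collections import deque
from itertools import combinations

# Constructed host-connectivity graph (assumption: an undirected edge means the
# two hosts can reach each other, e.g. derived from firewall rules or flow logs).
EDGES = [
    ("ws1", "fs"), ("ws2", "fs"), ("ws3", "fs"), ("ws4", "fs"),
    ("fs", "dc"), ("fs", "jh"), ("jh", "db"), ("dc", "db"),
    ("adm", "dc"), ("adm", "jh"),
]


def build_adjacency(edges):
    """Adjacency lists kept in insertion order so results are deterministic."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def bfs_path(adj, src, dst, blocked_nodes=(), blocked_edges=()):
    """Shortest hop-count path from src to dst, avoiding blocked nodes/edges."""
    if src == dst:
        return [src]
    parent = {src: None}  # doubles as the visited set
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt in parent or nxt in blocked_nodes or (node, nxt) in blocked_edges:
                continue
            parent[nxt] = node
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def k_shortest_paths(adj, src, dst, k):
    """Yen's algorithm: the k shortest loopless paths with unit edge weights."""
    first = bfs_path(adj, src, dst)
    if first is None:
        return []
    found, candidates = [first], []
    while len(found) < k:
        prev = found[-1]
        for i in range(len(prev) - 1):
            spur, root = prev[i], prev[:i + 1]
            # Block edges leaving the spur node that an already-found path with
            # the same root uses; both directions, since the graph is undirected.
            blocked_edges = set()
            for p in found:
                if p[:i + 1] == root and len(p) > i + 1:
                    blocked_edges.add((p[i], p[i + 1]))
                    blocked_edges.add((p[i + 1], p[i]))
            blocked_nodes = set(root[:-1])  # keeps the spur path loopless
            spur_path = bfs_path(adj, spur, dst, blocked_nodes, blocked_edges)
            if spur_path is not None:
                total = root[:-1] + spur_path
                if total not in found and total not in candidates:
                    candidates.append(total)
        if not candidates:
            break  # fewer than k loopless paths exist between src and dst
        candidates.sort(key=len)
        found.append(candidates.pop(0))
    return found


def rank_candidate_hosts(edges, ioc_hosts, k=2):
    """Score each non-IoC host by how often it lies on the k shortest paths
    between every pair of IoC hosts; higher score = examine earlier."""
    adj = build_adjacency(edges)
    scores = {}
    for a, b in combinations(sorted(ioc_hosts), 2):
        for path in k_shortest_paths(adj, a, b, k):
            for host in path:
                if host not in ioc_hosts:
                    scores[host] = scores.get(host, 0) + 1
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    # Constructed scenario: IoCs were found on workstation ws1 and database db.
    ranked = rank_candidate_hosts(EDGES, {"ws1", "db"}, k=2)
    total_hosts = len({h for e in EDGES for h in e})
    print(f"{len(ranked)} of {total_hosts} hosts to triage first: {ranked}")
```

With IoCs on `ws1` and `db`, the two shortest paths both cross the file server `fs` and then either `dc` or `jh`, so three of the seven remaining hosts are flagged and `fs` ranks first. When fewer than k loopless paths exist (for example between two workstations behind the same file server), the search stops early rather than padding the result, which is the failure mode to watch for in sparse or segmented networks.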




Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security, August 2019, 979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 26 August 2019


    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • Bundesministerium für Wirtschaft und Energie

    Conference

    ARES '19

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%


Cited By

    • (2024) Unraveling Network-Based Pivoting Maneuvers: Empirical Insights and Challenges. Digital Forensics and Cyber Crime, pp. 132-151. DOI: 10.1007/978-3-031-56583-0_9. Online publication date: 3-Apr-2024
    • (2023) On Reconstructing the Patient Zero from Sensor Measurements. 2023 IEEE 43rd International Conference on Distributed Computing Systems (ICDCS), pp. 1-11. DOI: 10.1109/ICDCS57875.2023.00065. Online publication date: Jul-2023
    • (2023) Moving Target Defense for Service-Oriented Mission-Critical Networks. 2023 32nd International Conference on Computer Communications and Networks (ICCCN), pp. 1-10. DOI: 10.1109/ICCCN58024.2023.10230175. Online publication date: Jul-2023
    • (2023) Evaluating a Planning Product for Active Cyberdefense and Cyberdeception. 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), pp. 2451-2456. DOI: 10.1109/CSCE60160.2023.00395. Online publication date: 24-Jul-2023
    • (2023) Outlier-based Anomaly Detection in Firewall Logs. 2023 International Conference on Communications, Computing, Cybersecurity, and Informatics (CCCI), pp. 1-10. DOI: 10.1109/CCCI58712.2023.10290797. Online publication date: 18-Oct-2023
    • (2022) X-IIoTID: A Connectivity-Agnostic and Device-Agnostic Intrusion Data Set for Industrial Internet of Things. IEEE Internet of Things Journal 9(5), pp. 3962-3977. DOI: 10.1109/JIOT.2021.3102056. Online publication date: 1-Mar-2022
    • (2020) Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection. ICT Systems Security and Privacy Protection, pp. 248-262. DOI: 10.1007/978-3-030-58201-2_17. Online publication date: 14-Sep-2020
